The Heartbleed Bug – a security threat you need to act on

The Heartbleed coding error may have been around for three years, affecting two-thirds of computer servers. Photograph: Pawel Kopczynski/Reuters

What is the Heartbleed bug?

The Heartbleed Bug is a serious weakness in the popular OpenSSL cryptographic software library which affects the majority of the Internet servers in the world. In simple terms, this weakness allows information thought to be protected by a Web server’s encryption to be stolen by hackers. You can learn more about the Heartbleed bug from Heartbleed.com and the other Web sites linked below.

The good news: You can protect yourself by taking action (read on).

The bad news:

Bruce Schneier, a security expert not much given to hyperbole, called Heartbleed a “catastrophic” flaw. “On the scale of one to 10,” he wrote, “this is an 11.”

This is a serious worldwide threat that “…allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.” (Heartbleed.com)

Fixing Heartbleed: Protection happens at two levels, the server operator’s and yours. You can protect yourself by taking action.

Fixed OpenSSL has been released. To plug the vulnerability, “Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.” (Heartbleed.com)

If you are a user, you MUST update your password on each website AFTER the fix has been installed there, because there is no way of knowing whether your previous password was stolen before the fix went in, and a password changed on a still-vulnerable server can be stolen again.

How the bug was created: The bug was introduced by a PhD student named Robin Seggelmann while working on the OpenSSL project on New Year’s Eve, 2011. Seggelmann told the Guardian, “I am responsible for the error, because I wrote the code and missed the necessary validation by an oversight.”
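The “necessary validation” Seggelmann refers to is a bounds check: a heartbeat request carries a length field chosen by the peer, and the server must confirm that the record it actually received is at least that long before echoing that many bytes back. The following is an added teaching example, not OpenSSL’s code: a simplified heartbeat responder (record layout, `HB_MIN_PADDING` and the helper names are assumptions of this example) that performs the check and refuses any request whose declared length exceeds what was actually sent, so it can never copy memory beyond the received record.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified heartbeat record: 1-byte type, 2-byte declared payload length,
 * payload bytes, then padding. Layout is a stand-in for illustration. */
#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2
#define HB_HEADER_LEN    3
#define HB_MIN_PADDING   16
#define HB_BUF_CAP       1024

/* Build a request record. The caller chooses `declared` independently of the
 * real payload so a test can construct a record that lies about its length. */
size_t hb_build_request(const uint8_t *payload, size_t payload_len,
                        uint16_t declared, uint8_t *buf, size_t cap) {
    size_t total = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_TYPE_REQUEST;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xFF);
    memcpy(buf + HB_HEADER_LEN, payload, payload_len);
    memset(buf + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING); /* zero padding for determinism */
    return total;
}

/* Answer a heartbeat request. Returns the response length, or -1 if the
 * record is rejected. The validation step is the one that was missing. */
int hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN) return -1;
    if (rec[0] != HB_TYPE_REQUEST) return -1;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);

    /* Validation: the bytes we are about to echo must all lie inside the
     * record the peer actually sent. Without this line, a request declaring
     * a large length would cause the copy below to read past the record. */
    if ((size_t)HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len) return -1;

    size_t resp_len = HB_HEADER_LEN + declared + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_TYPE_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, declared); /* bounded by the check above */
    memset(out + HB_HEADER_LEN + declared, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Honest request: declared length matches the 4-byte payload. */
int hb_demo_honest(void) {
    uint8_t req[HB_BUF_CAP], resp[HB_BUF_CAP];
    const uint8_t payload[4] = { 'p', 'i', 'n', 'g' };
    size_t n = hb_build_request(payload, sizeof payload, 4, req, sizeof req);
    int r = hb_respond(req, n, resp, sizeof resp);
    if (r < 0) return r;
    return memcmp(resp + HB_HEADER_LEN, payload, sizeof payload) == 0 ? r : -2;
}

/* Lying request: same 4-byte payload, but the header claims 65535 bytes. */
int hb_demo_overdeclared(void) {
    uint8_t req[HB_BUF_CAP], resp[HB_BUF_CAP];
    const uint8_t payload[4] = { 'p', 'i', 'n', 'g' };
    size_t n = hb_build_request(payload, sizeof payload, 0xFFFF, req, sizeof req);
    return hb_respond(req, n, resp, sizeof resp);
}
```

The honest request produces a 23-byte response (3-byte header, 4-byte payload, 16 bytes of padding); the over-declared request is rejected before any copy happens. The rejection is the whole fix: the declared length is untrusted input and must be compared against the received record length, not believed.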

Should you change your passwords: Yes, but wait for confirmation from the website operator that the bug has been patched.